Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.


I want to allow SSH to be used only for some IPs, but I want to add them like 100.15.25.*

Can I do that? Can you give me an example of how this can be done?

I've not set any firewall rules manually yet, and only 5 or 6 ports are listening for my services. Does it cause a problem to leave other ports accessible? Or, if no service listens on a port, is that port still accessible? Should I close them? And how?

Thanks.

SSH is too insecure. It allows access and terminal-level control.
However, if you want this, there's scripting, where you can easily enter the IP in the script and define the IP range directly within that very script.

I've not set any firewall rules manually yet, and only 5 or 6 ports are listening for my services. Does it cause a problem to leave other ports accessible? Or, if no service listens on a port, is that port still accessible? Should I close them? And how?

A port is only open if something is listening on it. There's nothing wrong per se with only making sure you don't have any unwanted ports open, but using a firewall to make sure is a good idea. A firewall lets you set up access restrictions (such as the iptables example above) and it can protect you from certain configuration mistakes.

Well, without seeing your iptables (and I don't suggest posting them here), it's hard to say. You should have a DROP policy or declare a final DROP rule after you open the ports you want.
I'm not really sure what you want to do: allow your list to ssh in or ssh out, as the rules are different in each case. Are you protecting or limiting an internal net behind your machine?

If it is a single machine then I'd assume you are interested in allowing only a certain group of sources in. And assuming you already have a few set up, then inserting a specific rule BEFORE all your other rules would be effective. (iptables -I INPUT -p tcp --dport 22 -s 100.15.25.0/24 -j ACCEPT) does it. But then you might want to put a general DROP just after it. You could do that by inserting the general DROP rule first and then inserting the specific ACCEPT. -I (insert) without a rule number just inserts it at the front of the chain, so inserting DROP first and then ACCEPT sets them up in the correct order at the front of the chain.

I think it is bad policy to assume that nothing is listening on a port and generally give explicit DROP rules.

You can look at what is set up by issuing the iptables list command like this as sudo or root. I use sudo. $ sudo /sbin/iptables -L -v -n --line-numbers
This gives the rule numbers by chain.

Do I allow both the first IP range and the second IP, or does the second one overwrite the first one?

Also, I have a web server and I just realized that my server got attacked via SSH by brute force. I moved SSH to another port, but I want to close all ports except 80, 21, etc. But if a non-listened port doesn't cause any security risk, I don't need to do it. I just want it for security and attack-blocking reasons.

When you say you block all ports first and then ACCEPT, I am assuming you meant DROP all and then ACCEPT. That will not work, as once they are DROPped the ACCEPT rule will never see them, because processing stops on a packet that is dropped. And yes, you can have as many ACCEPT rules as you need. Once a packet is accepted, processing on that packet depends on what is listening on that socket (port). The rules are processed in order and processing is determined by the -j target.

Another early rule should be iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT to accept established connections.

Just ACCEPT the ports you want first and finish up with a DROP rule. This one is general: iptables -A INPUT -j DROP

Be sure to list the rules to see if they execute in the order you desired. You may need to flush existing rules before you set up the table.
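Putting the last two replies together as one script. This is an added example, not code posted by anyone in the thread: it emits the INPUT chain in the order described (loopback, ESTABLISHED,RELATED, SSH from the allowed range, the public ports, then a final DROP), includes a tiny offline model of how -A and -I order a chain so you can see that "insert DROP, then insert ACCEPT" lands the ACCEPT first, and only touches the live firewall when run with --apply. The allowed range 100.15.25.0/24 and the public ports 80 and 21 are assumptions taken from the question, not facts about the poster's server.

```shell
#!/bin/sh
# Added example; not code posted in the thread. Builds the INPUT chain the replies
# describe: SSH only from one /24, established flows kept, public ports open,
# DROP last. Assumed (not stated in the thread): the allowed range is
# 100.15.25.0/24 and the public services are TCP 80 and 21. Edit the two lists.

ALLOWED_SSH_NETS="100.15.25.0/24"   # space-separated; add further ranges here
PUBLIC_TCP_PORTS="80 21"
IPT="${IPT:-/sbin/iptables}"

# Rules in append (-A) order. A packet stops at the first terminal target it
# matches, so the ESTABLISHED,RELATED rule and the ACCEPTs must precede DROP.
input_rules() {
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for net in $ALLOWED_SSH_NETS; do
        echo "-A INPUT -p tcp --dport 22 -s $net -j ACCEPT"
    done
    for port in $PUBLIC_TCP_PORTS; do
        echo "-A INPUT -p tcp --dport $port -j ACCEPT"
    done
    echo "-A INPUT -j DROP"
}

# The "-I DROP first, then -I ACCEPT" variant from the thread: both inserts go
# to the front, so the ACCEPT still ends up ahead of the DROP.
insert_style_rules() {
    echo "-I INPUT -j DROP"
    echo "-I INPUT -p tcp --dport 22 -s 100.15.25.0/24 -j ACCEPT"
}

# Offline model of how iptables orders a chain: -A appends, -I with no index
# inserts at position 1. Reads rule lines on stdin, prints the final chain.
simulate_chain() {
    tmp=$(mktemp)
    while read -r flag chain rest; do
        case $flag in
            -A) printf '%s\n' "$rest" >> "$tmp" ;;
            -I) { printf '%s\n' "$rest"; cat "$tmp"; } > "$tmp.new"
                mv "$tmp.new" "$tmp" ;;
        esac
    done
    cat "$tmp"
    rm -f "$tmp"
}

# 1-based position of the first chain line matching $1 (0 if none); use it to
# confirm an ACCEPT sits above the DROP before applying anything.
rule_position() {
    pos=$(grep -n -- "$1" | head -n 1 | cut -d: -f1)
    echo "${pos:-0}"
}

# Apply for real (root). Flushes INPUT so the live order is exactly the list,
# then prints the numbered chain the same way the thread suggests checking it.
apply_input_rules() {
    "$IPT" -F INPUT
    input_rules | while read -r line; do
        # shellcheck disable=SC2086  # word-splitting into arguments is intended
        "$IPT" $line
    done
    "$IPT" -L INPUT -v -n --line-numbers
}

if [ "${1:-}" = "--apply" ]; then apply_input_rules; else input_rules; fi
```

Run it without arguments first and read the list; then run it with --apply from the console rather than over SSH, or with a scheduled rollback (for example a cron or at job that runs iptables-restore from a saved iptables-save dump a few minutes later) so a wrong rule cannot lock you out. The script flushes only the INPUT chain and does not change the chain policy; if your policy is already DROP, the final DROP rule is redundant but harmless.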

Another thing you might want to consider is running fail2ban, which scans your logs for failed logons and dynamically updates your firewall to ban the offending IP address. It works not only for SSH, but for a variety of other services.

I use it because a few of the branch offices I work out of have dynamically assigned IP addresses, which opens up quite a large IP range that is able to SSH in.
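To make the fail2ban suggestion concrete, here is an added example (not from the thread, and not fail2ban's own code): a jail.local for the sshd jail using fail2ban's real keys, plus a short shell re-implementation of the counting fail2ban performs, run over constructed sshd log lines so the logic can be checked offline without touching a real firewall. Assumed, and not stated in the thread: sshd logs in the classic "Failed password for ... from <ip> port <n>" format, and 100.15.25.0/24 is the range that must never be banned (the same range the question asks about).

```shell
#!/bin/sh
# Added example; not from the thread and not fail2ban's own code. Writes a
# jail.local for sshd and re-implements, in a few lines, the counting fail2ban
# does, run over constructed log lines so it can be checked offline.
# Assumed (not in the thread): sshd logs in the classic "Failed password ...
# from <ip> port <n>" format, and 100.15.25.0/24 must never be banned.

IGNORE_NETS="127.0.0.0/8 100.15.25.0/24"

# jail.local fragment using real fail2ban keys: maxretry failures from one
# address within findtime ban it for bantime; ignoreip is exempt.
write_jail_local() {   # $1 = destination path, e.g. /etc/fail2ban/jail.local
    cat > "$1" <<'EOF'
[DEFAULT]
ignoreip = 127.0.0.1/8 100.15.25.0/24
bantime  = 1h
findtime = 10m
maxretry = 5

[sshd]
enabled = true
# if sshd was moved off 22, put that port number here instead of "ssh"
port    = ssh
logpath = %(sshd_log)s
EOF
}

# Constructed sample of sshd auth log lines (not a real log).
SAMPLE_LOG='Mar  3 10:00:01 web sshd[2211]: Failed password for root from 203.0.113.7 port 51112 ssh2
Mar  3 10:00:03 web sshd[2212]: Failed password for root from 203.0.113.7 port 51113 ssh2
Mar  3 10:00:05 web sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 51114 ssh2
Mar  3 10:00:06 web sshd[2214]: Failed password for invalid user test from 203.0.113.7 port 51115 ssh2
Mar  3 10:00:08 web sshd[2215]: Failed password for root from 203.0.113.7 port 51116 ssh2
Mar  3 10:00:20 web sshd[2220]: Failed password for bob from 100.15.25.9 port 40001 ssh2
Mar  3 10:00:22 web sshd[2221]: Failed password for bob from 100.15.25.9 port 40002 ssh2
Mar  3 10:00:24 web sshd[2222]: Failed password for bob from 100.15.25.9 port 40003 ssh2
Mar  3 10:00:26 web sshd[2223]: Failed password for bob from 100.15.25.9 port 40004 ssh2
Mar  3 10:00:28 web sshd[2224]: Failed password for bob from 100.15.25.9 port 40005 ssh2
Mar  3 10:00:30 web sshd[2225]: Accepted publickey for bob from 100.15.25.9 port 40006 ssh2
Mar  3 10:01:00 web sshd[2230]: Failed password for root from 198.51.100.4 port 3333 ssh2'

# Dotted IPv4 -> integer, for prefix matching.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Exit 0 if $1 lies inside $2 (net/prefix), by comparing network numbers.
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    size=1; i=0
    while [ "$i" -lt $(( 32 - bits )) ]; do size=$(( size * 2 )); i=$(( i + 1 )); done
    [ $(( $(ip_to_int "$1") / size )) -eq $(( $(ip_to_int "$net") / size )) ]
}

is_ignored() {
    for n in $IGNORE_NETS; do in_cidr "$1" "$n" && return 0; done
    return 1
}

# "count ip" for every source of a failed password in the log on stdin.
failed_counts() {
    sed -n 's/.*Failed password for .* from \([0-9.][0-9.]*\) port .*/\1/p' | sort | uniq -c
}

# Addresses with at least $1 failures, skipping IGNORE_NETS. The window is the
# whole input here; fail2ban applies findtime per entry timestamp.
ban_candidates() {
    failed_counts | while read -r count ip; do
        [ "$count" -ge "$1" ] || continue
        is_ignored "$ip" && continue
        echo "$ip"
    done
}

# The single-rule equivalent of what the iptables ban action adds (fail2ban
# itself keeps bans in a separate f2b-<jail> chain).
ban_rule() {
    echo "iptables -I INPUT -p tcp --dport 22 -s $1 -j DROP"
}

printf '%s\n' "$SAMPLE_LOG" | ban_candidates 5 | while read -r ip; do ban_rule "$ip"; done
```

On the constructed sample, 203.0.113.7 reaches maxretry and gets a ban rule, 100.15.25.9 has the same number of failures but is skipped because it falls inside ignoreip, and 198.51.100.4 stays below the threshold. The ignoreip line is the part worth getting right for the branch-office case above: if your own dynamic ranges are not listed there, a typo-prone user at one of those offices can ban the whole office.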